authortedu <>2014-04-24 04:31:30 +0000
committertedu <>2014-04-24 04:31:30 +0000
commitf0a36b9f78febba27b10781ea27c65ab1f85e385 (patch)
tree5378359d8dd39e01cd2d55845cdfd643fea4389a /src/lib
parent329f166fa52c590ad4f531997654c913f07020cf (diff)
on today's episode of things you didn't want to learn:
do_ssl3_write() is recursive. and not in the simple, obvious way, but in the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this then has a decent chance of releasing the buffer that we thought we were going to use. check for this happening, and if the buffer has gone missing, put another one back in place. the direct recursive call is safe because it won't call ssl3_write_pending which is the function that actually does do the writing and releasing. as reported by David Ramos to openssl-dev: http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/s3_pkt.c4
-rw-r--r--src/lib/libssl/src/ssl/s3_pkt.c4
2 files changed, 8 insertions, 0 deletions
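diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 60c51146ac..5ef25a4059 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 if (i <= 0)
 return (i);
 /* if it went, fall through and send more stuff */
+/* we may have released our buffer, so get it again */
+if (wb->buf == NULL)
+if (!ssl3_setup_write_buffer(s))
+return -1;
 }
 
 if (len == 0 && !create_empty_fragment)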
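Review bot: The added comment `/* we may have released our buffer, so get it again */` does not say what released it, so the `wb->buf == NULL` guard looks arbitrary to anyone who has not read the commit message; I would name the cause in the code, e.g. `/* ssl3_dispatch_alert() re-enters do_ssl3_write(); ssl3_write_pending() may have released wb->buf */`. That matters because the code after the hunk presumably writes through `wb->buf`, so dropping this guard in a later cleanup would bring the NULL write buffer back. The two nested unbraced `if`s are also easy to misread and can be folded into `if (wb->buf == NULL && !ssl3_setup_write_buffer(s))` followed by `return -1;`. The identical hunk in src/lib/libssl/src/ssl/s3_pkt.c has the same two points; do_ssl3_write starts and ends outside the hunk.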
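diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 60c51146ac..5ef25a4059 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 if (i <= 0)
 return (i);
 /* if it went, fall through and send more stuff */
+/* we may have released our buffer, so get it again */
+if (wb->buf == NULL)
+if (!ssl3_setup_write_buffer(s))
+return -1;
 }
 
 if (len == 0 && !create_empty_fragment)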